Why it matters

Suffered a cyber attack over the last year? Members of Congress want to hear about it, and all financial institutions should be prepared to competently respond to government inquiries if they are victims of a data breach.

In letters to 16 financial institutions, federal legislators requested information about data security and whether the bank had been subjected to any cyber attacks over the previous year. Sen. Elizabeth Warren (D-Mass.) and Rep. Elijah Cummings (D-Md.) asked entities detailed questions about the protections in place for sensitive data and the scope and impact of any attacks they may have suffered. In addition to answers, the lawmakers instructed the recipients to provide a briefing from their chief IT security professional. “Your company’s knowledge, information and experience will be helpful as Congress examines federal cybersecurity laws, and any necessary improvements to protect sensitive consumer and government information,” the lawmakers wrote, noting that law enforcement officials have identified the U.S. financial sector as “one of the most targeted in the world” for cyber crime.

Detailed discussion

Focusing on cybersecurity, two lawmakers called on financial institutions to provide perspective on their experience over the past 12 months. Sen. Warren and Rep. Cummings cited statistics that 500 million records have been stolen from various financial institutions as a result of cyber attacks over the last year, with 80 percent of the hacking victims unaware of the breach until informed by federal investigators. Press reports about a recent bank victim, JPMorgan Chase, indicated that the hackers may have tried to breach the security protections at other institutions, the lawmakers said.

“The increasing number of cyber attacks and data breaches is unprecedented and poses a clear and present danger to our nation’s economic security,” Sen. Warren and Rep. Cummings wrote. “Each successive cyber attack and data breach not only results in hefty costs and liabilities for businesses, but exposes consumers to identity theft and other fraud, as well as a host of other cyber crimes. Your ability to protect consumers and safeguard their personal information is central to earning and maintaining consumer confidence in our economic system.”

To aid in federal oversight, the lawmakers requested the recipients – Automatic Data Processing, Inc., Bank of America, Bank of New York Mellon, Bank of the West, Citigroup, Deutsche Bank, E-Trade, Fidelity, GE, Goldman Sachs, HSBC, Morgan Stanley, PNC, Regions, U.S. Bank, and Wells Fargo – provide certain information.

If the company suffered any breaches or attempted hacks over the last year, the letter sought information about the date, manner, and method of intrusion used, when the institution first discovered the breach, and what types of data were accessed, as well as the number of customers affected and how they were notified of the breach.

Findings from investigative analyses and reports that may have identified vulnerabilities to malware or other reasons for the breach were also sought by the legislators, along with information about the individuals or entities thought responsible.

In the wake of the breach, what data protection improvement measures were undertaken by the institution? The letter also asked for an estimate of the number and value of fraudulent transactions connected to the data breach, including a breakdown of government customers.

For those institutions that have not suffered a breach, the lawmakers made inquiries about third-party relationships, asking for “a description of the data security policies and procedures that govern your relationships with vendors, third-party service providers, and subcontractors, including the manner by which your company ensures that entities performing work on your behalf have reasonable data security controls in place to thwart cyber attacks.”

Finally, the letter requested any recommendations that recipients might have “for improvements in cybersecurity laws or the coordination of efforts to identify and respond to emerging trends in cybersecurity risks to help prevent future data breaches.”

In addition to providing responses to the questions by December 19, the legislators requested a briefing from the financial institution’s chief IT security professional.
